VeriSign Warns of DNS Security Risks

The CSO of VeriSign discusses his concerns about domain collisions and the risks they entail.

Danny McPherson, the chief security officer of VeriSign, is worried about the future security of the Domain Name System (DNS), which his company helps to keep stable and secure. Among his biggest concerns is the continued stability of DNS in an era when domain name collisions are becoming more common.
The DNS risks that VeriSign sees are outlined in a 33-page report titled "SSR3: Security, Stability, Resiliency Update: Operational Foreshocks," which VeriSign has not yet publicly released.
A domain name collision occurs when a publicly delegated top-level domain has the same name as a namespace that a company or carrier has been using privately on its own network. For example, if an enterprise has been using a made-up .domain (dot-domain) suffix for internal hosts, it becomes a collision the moment a .domain top-level domain is delegated in the public root and becomes reachable over the Internet: queries that were only ever meant to be answered internally can now be answered, or leaked, publicly. With the large number of new top-level domains delegated in 2014, the number of such collisions has grown.
"There have been domain name collisions that have resulted in network interruptions for enterprises," McPherson told eWEEK. "There have also been cases where confusion and usability with the new top-level domains have led to phishing attacks." One of the reasons why the Internet has been successful is because DNS provides a stable navigation anchor, according to McPherson. VeriSign helps operate some of the root DNS servers that enable the modern Internet to function. VeriSign is also the manager of the popular dot-com and dot-net domain registries, which it operates under contract with the Internet Corporation for Assigned Names and Numbers (ICANN).

"If you type a domain name into a Web browser, you expect to get predictable results," McPherson said. "One of the biggest concerns we have is that if people are not adequately prepared for new generic top-level domains (gTLDs) or if the root DNS server systems become unstable in some manner, it could lead to the fragmentation of the Internet."

The risk of domain name collisions means that new gTLDs may not resolve consistently across the Internet, because some carriers or organizations may choose to serve only their own view of the domain name space, blocking or overriding a public gTLD that clashes with an internal name.
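The two collision mechanisms described above (an internal suffix that matches a newly delegated gTLD, and unqualified names that a stub resolver expands with a search list) can be checked mechanically. The following is an added example, not code from the article or from VeriSign, and the root-zone snapshot and internal suffix list it uses are constructed sample data, not the real IANA root zone or any real organization's configuration. It classifies each private suffix as colliding, reserved (RFC 2606 names such as .test and .example, which are never delegated) or merely undelegated, and simulates how a resolver's search list turns a short name like "intranet" into a query that a public TLD would answer when the host is off the corporate network.

```python
"""Detect domain-name collisions between a private DNS namespace and the
public root zone, and show how a stub resolver's search list leaks them.

Added example: the root zone and internal suffixes below are constructed
sample data, not the IANA root zone or a real enterprise configuration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# RFC 2606 reserved top-level names: guaranteed never to be delegated, so a
# private namespace under one of these can never collide with a public gTLD.
RESERVED_TLDS = frozenset({"test", "example", "invalid", "localhost"})

# Constructed stand-in for a root-zone snapshot (assumption: a real check
# would load the delegated TLD list published by IANA instead).
SAMPLE_ROOT_ZONE = frozenset(
    {"com", "net", "org", "app", "cloud", "dev", "network", "global"}
)

# Constructed sample: suffixes an enterprise resolver treats as internal-only.
SAMPLE_INTERNAL_SUFFIXES = ["corp", "home", "cloud", "internal", "lab.network", "example"]


@dataclass(frozen=True)
class Finding:
    suffix: str
    status: str  # "collision", "reserved" or "undelegated"


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip any trailing root dot."""
    return name.strip().rstrip(".").lower()


def tld_of(name: str) -> str:
    """Return the right-most label, i.e. the top-level domain of a name."""
    return normalize(name).rsplit(".", 1)[-1]


def classify_suffix(suffix: str, root_zone: Iterable[str]) -> str:
    """Classify a private suffix by what its TLD looks like in the public root."""
    tld = tld_of(suffix)
    if tld in RESERVED_TLDS:
        return "reserved"
    if tld in set(root_zone):
        return "collision"
    return "undelegated"


def find_collisions(suffixes: Iterable[str], root_zone: Iterable[str]) -> List[Finding]:
    """Return only the private suffixes whose TLD is publicly delegated."""
    return [
        Finding(normalize(s), "collision")
        for s in suffixes
        if classify_suffix(s, root_zone) == "collision"
    ]


def expand_search_list(short_name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Mimic a glibc-style stub resolver.

    A name with fewer than `ndots` dots is tried with each search suffix
    appended before being tried as an absolute name; a name with at least
    `ndots` dots is tried absolute first, then with the suffixes.
    """
    name = normalize(short_name)
    with_suffixes = [f"{name}.{normalize(s)}" for s in search_list]
    if name.count(".") < ndots:
        return with_suffixes + [name]
    return [name] + with_suffixes


def leaked_queries(short_name: str, search_list: List[str], root_zone: Iterable[str]) -> List[str]:
    """Candidate FQDNs the public DNS would actually answer.

    Off the corporate network (no split-horizon view), every candidate whose
    TLD exists in the public root is sent to, and answered by, the Internet.
    """
    public = set(root_zone)
    return [
        candidate
        for candidate in expand_search_list(short_name, search_list)
        if tld_of(candidate) in public
    ]


if __name__ == "__main__":
    for suffix in SAMPLE_INTERNAL_SUFFIXES:
        print(f"{suffix:>12}: {classify_suffix(suffix, SAMPLE_ROOT_ZONE)}")
    print("leaked:", leaked_queries("intranet", ["corp", "cloud"], SAMPLE_ROOT_ZONE))
```

Running the script with the constructed data flags "cloud" and "lab.network" as collisions, treats "example" as safe because it is reserved, and shows that a laptop configured with the search list ["corp", "cloud"] would, once off-net, send "intranet.cloud" to whoever operates the public .cloud registry. The practical follow-up is the one McPherson alludes to: enumerate the suffixes in resolver search lists, DHCP options and internal zone files before a matching gTLD is delegated, and either rename them under a delegated domain the organization controls or under an RFC 2606 reserved name.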
McPherson suggests that reaching out proactively to organizations about new gTLDs before they are implemented can help to limit risks.
"Unless you do a qualitative analysis and give people fair warning, some gTLDs will be blocked," he said.
From an overall infrastructure perspective, VeriSign has long been investing in the future of DNS. In 2010, VeriSign announced its Apollo project, a planned $300 million investment in DNS infrastructure. The goal of Apollo was to have DNS prepared to handle the Internet usage expected by the year 2020.
"We continue to invest in our infrastructure to deal with everything from new system loads to new attack vectors," McPherson said. "We're comfortable with our investment, and we're doing everything that we believe needs to be done and we will continue to do that in the future."
One of the growing threats VeriSign faces is large-scale volumetric attacks against its systems. In the second quarter of 2014, VeriSign reported that it was hit with a 300G-bps distributed denial-of-service (DDoS) attack.
"We absorbed that 300G-bps attack with no operational impact to our infrastructure and were still able to provide 100 percent availability and uptime of our infrastructure," McPherson said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.